Re: ipfilter: keep state per-interface?

To: tech-net%netbsd.org@localhost
Subject: Re: ipfilter: keep state per-interface?
From: Egerváry Gergely <gergely%egervary.hu@localhost>
Date: Mon, 26 Dec 2016 21:05:49 +0100

Hi,

I assume that is because I keep state on the packets when they
arrive on vr1.


You are right - state table has precedence over filter rules.

Is this a bug, or is it working as designed?  For some reason, I
assumed there to be per-interface state tables and hence
consideration of the vr0 rules (i.e. I assumed a 'keep state' on a
vr1 rule would only> skip looking at the vr1 rules for future
matching packets)


It's by design. There's only one state table.

--
Gergely EGERVARY

Follow-Ups:
- Re: ipfilter: keep state per-interface?
  - From: Egerváry Gergely

References:
- ipfilter: keep state per-interface?
  - From: Timo Buhrmester

Prev by Date: ipfilter: keep state per-interface?
Next by Date: Re: ipfilter: keep state per-interface?
Previous by Thread: ipfilter: keep state per-interface?
Next by Thread: Re: ipfilter: keep state per-interface?
Indexes:

Home | Main Index | Thread Index | Old Index